Threat Insight

@threatinsight

Followers
11K
Following
274
Media
1K
Statuses
4K

@Proofpoint's insights on targeted attacks & the security landscape. Follow us on Bluesky: https://t.co/8OVfhotdeP

Joined August 2013
@threatinsight
Threat Insight
2 days
@proofpoint Example UA:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10408.0.0.0 Safari/537.36 Edg/10408.0.0.0
0
0
3
@threatinsight
Threat Insight
2 days
@proofpoint The threat actor is seen rotating through over half a million IPs, predominantly IPv6. The method for spoofing user agents results in non-existent browser versions with a matching Chrome & Edge number, which can be used to uniquely characterize the campaign.
1
0
3
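Detection logic for the user-agent pattern described in the two posts above (a Chrome/Edg pair carrying an identical, non-existent major version), as an added example that is not Proofpoint's code. It assumes sign-in records as comma-separated timestamp,user,IP,UA lines, a hypothetical plausibility ceiling of 250 for Chromium major versions, and constructed sample records modelled on the quoted strings:

```python
import re
from collections import defaultdict
from typing import Dict, NamedTuple, Optional, Set

# Assumption (not from the post): no shipped Chromium-based browser has a major
# version anywhere near this, so anything above it is a fabricated build number.
MAX_PLAUSIBLE_MAJOR = 250

CHROME_RE = re.compile(r"\bChrome/(\d+)(?:\.\d+){3}\b")
EDGE_RE = re.compile(r"\bEdg/(\d+)(?:\.\d+){3}\b")


class UaVerdict(NamedTuple):
    chrome_major: Optional[int]
    edge_major: Optional[int]
    impossible_version: bool  # a major beyond anything Chromium has shipped
    matched_pair: bool        # Chrome and Edg majors identical


def assess_ua(ua: str) -> UaVerdict:
    """Pull the Chrome and Edg major versions out of a UA and judge plausibility."""
    cm, em = CHROME_RE.search(ua), EDGE_RE.search(ua)
    chrome = int(cm.group(1)) if cm else None
    edge = int(em.group(1)) if em else None
    impossible = any(v is not None and v > MAX_PLAUSIBLE_MAJOR for v in (chrome, edge))
    matched = chrome is not None and chrome == edge
    return UaVerdict(chrome, edge, impossible, matched)


def campaign_fingerprint(ua: str) -> Optional[str]:
    """Return the shared bogus major (e.g. '1000005345') when the UA fits the
    pattern from the post, otherwise None. The matched-pair check alone is not
    enough: real Edge with a reduced UA also reports identical Chrome/Edg majors,
    so the impossible version is what makes the pair a campaign marker."""
    v = assess_ua(ua)
    if v.impossible_version and v.matched_pair:
        return str(v.chrome_major)
    return None


# Constructed sign-in records (timestamp,user,source_ip,user_agent), one per line,
# modelled on the two spoofed UAs quoted in the post plus legitimate traffic.
SAMPLE_LOG = """\
2025-09-21T03:14:07Z,alice@example.com,2001:db8:1::10,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0
2025-09-21T03:14:09Z,bob@example.com,2001:db8:2::7,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0
2025-09-21T03:14:12Z,carol@example.com,203.0.113.44,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10408.0.0.0 Safari/537.36 Edg/10408.0.0.0
2025-09-21T03:15:00Z,dave@example.com,198.51.100.9,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0
2025-09-21T03:15:03Z,erin@example.com,198.51.100.12,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15
"""


def scan_signins(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Group flagged sign-ins by fingerprint -> {'users': {...}, 'ips': {...}}.
    The UA field itself contains a comma ('KHTML, like Gecko'), so the line is
    split at most three times and the remainder is taken as the UA."""
    hits: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"users": set(), "ips": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, ip, ua = line.split(",", 3)
        fp = campaign_fingerprint(ua)
        if fp is not None:
            hits[fp]["users"].add(user)
            hits[fp]["ips"].add(ip)
    return dict(hits)


if __name__ == "__main__":
    for fp, info in scan_signins(SAMPLE_LOG).items():
        print(f"bogus build {fp}: {len(info['users'])} users from {len(info['ips'])} IPs")
```

Because the actor rotates source IPs, grouping by the fabricated build number rather than by IP is what ties the attempts back to one campaign; the IP set per fingerprint is then a by-product you can feed into blocking or enrichment.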
@threatinsight
Threat Insight
2 days
@proofpoint Windows Live Custom Domains (92bcc0b3-6fb6-40a5-9577-53629580dc3e) is a legacy service that allows domain owners to use Outlook with their own domains. No malicious activity was observed against the application in the following months, indicating a shift in attacker tactics.
1
0
3
@threatinsight
Threat Insight
2 days
Researchers at @Proofpoint have uncovered a recent brute force campaign, tracked as UNK_CustomCloak, targeting the first-party app, Windows Live Custom Domains. Activity was observed from September 20th-30th, affecting nearly half a million users in over 4,000 tenants.
2
9
14
@proofpoint
Proofpoint
4 days
October is the month of pumpkin spice & #cybersecurityawareness. 🎃 On a new Discarded #podcast, the @threatinsight team recognizes the critical role humans play in the attack chain. Deep dive into why #socialengineering is at the 💙 of so many attacks. https://t.co/RQOcZeIt0Z
0
5
12
@proofpoint
Proofpoint
19 days
#OperationEndgame was a collaborative effort between global law enforcement and private sector partners, including Proofpoint @threatinsight. At #ProofpointProtect 2025, attendees got an exclusive play-by-play of exactly how the operation disrupted global ransomware networks.
0
4
8
@threatinsight
Threat Insight
24 days
TA415’s pivot to target organizations and those tied to U.S.-China relations is noteworthy given today’s geopolitical landscape. See our full blog for a detailed breakdown of these July and Aug 2025 campaigns, infection chain, IOCs, and @ET_Labs rulesets.
0
1
1
@threatinsight
Threat Insight
24 days
Key finding 3️⃣: This marks a tactical shift away from earlier malware like the “Voldemort” backdoor, showing the group’s ability to adapt. Key finding 4️⃣: A primary objective of these campaigns is likely the collection of intel on the trajectory of U.S.-China economic ties.
1
1
1
@threatinsight
Threat Insight
24 days
Key finding 2️⃣: Instead of traditional #malware, the campaigns deployed Visual Studio Code Remote Tunnels. This is likely a concerted effort from #TA415 to blend in with existing legitimate traffic to trusted services, including Google Sheets/Calendar, & VS Code Remote Tunnels.
1
1
1
@threatinsight
Threat Insight
24 days
The group is impersonating trusted organizations & policymakers to target U.S. gov't, academic, and think tank targets. Key finding 1️⃣: TA415 spoofed the U.S.-China Business Council and a sr. congressional leader to deliver spearphishing lures tied to trade and sanctions policy.
1
1
1
@threatinsight
Threat Insight
24 days
The @Proofpoint threat research team published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations. ⤵️
proofpoint.com
What happened  Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China
1
14
29
@threatinsight
Threat Insight
1 month
Stream now: A new episode of Proofpoint's DISCARDED #podcast. 🎙️ https://t.co/ovPd7sq0Md Listen as Proofpoint's @infosectimmy shares his insights on request-for-quote (RFQ) fraud—a growing scam which combines Business Email Compromise (BEC) with stolen physical goods. 📦
0
4
5
@threatinsight
Threat Insight
1 month
Hot sauce and hot takes: For the first time, the Only Malware in the Building team is together in-studio—and they’re turning up the heat. 🔥 Think you’ve seen them tackle malware mysteries before? Wait until you see them sweat. Stream now on YouTube!
0
2
3
@threatinsight
Threat Insight
1 month
While they contained an executable with the same name, the threat actor did not provide the password for these files, so they could not be extracted or lead to any malware installation.
0
2
3
@threatinsight
Threat Insight
1 month
On September 2-3, some of the files attached to the issues had random file names and were encrypted.
1
2
3
@threatinsight
Threat Insight
1 month
Although GitHub has removed some of the malicious comments, the links in the messages remained active as of September 3, including the actor-controlled URLs.
1
2
2
@threatinsight
Threat Insight
1 month
MD5: 4d8730a2f3388d018b7793f03fb79464
SHA1: cbc5b2181854a2672013422e02df9ea35c3c9e1c
SHA256: c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839
1
2
3
@threatinsight
Threat Insight
1 month
&X-Amz-Date=20250903T111859Z&X-Amz-Expires=300&X-Amz-Signature=f0cd8226472614321e6b9e3b883bffe0adf9d9255af1207374947ea71d3c8f76&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename% https://t.co/t8FTJQwTyg&response-content-type=application%2Fx-zip-compressed
1
2
2
@threatinsight
Threat Insight
1 month
Retrieved From: hxxps://objects[.]githubusercontent[.]com/github-production-repository-file-5c1aeb/195216627/22101425?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20250903%2Fus-east-1%2Fs3%2Faws4_request [...] [continued in next post]
1
2
2
@threatinsight
Threat Insight
1 month
File name:
1
2
3
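The "Retrieved From" link above is a presigned GitHub object URL: the host and repository-file path identify the uploaded attachment, while the X-Amz-* parameters are a short-lived signature that GitHub regenerates every time the issue page is loaded, which is why a link can stay "active" long after any one signed copy expires. The helpers below, an added example and not Proofpoint's code, refang such a defanged link, reduce it to the stable part worth keeping as an indicator, and read the signature's validity window and the served filename. The sample link is constructed after the one in the post, with the same host and path but placeholder credential, signature and filename values:

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the defanged link in the post. The access-key id,
# the 64-hex signature and the filename are placeholders, not values from the post.
SAMPLE_LINK = "".join([
    "hxxps://objects[.]githubusercontent[.]com/github-production-repository-file-5c1aeb/195216627/22101425",
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256",
    "&X-Amz-Credential=AKIAEXAMPLEKEY000000%2F20250903%2Fus-east-1%2Fs3%2Faws4_request",
    "&X-Amz-Date=20250903T111859Z&X-Amz-Expires=300",
    "&X-Amz-Signature=" + "0" * 64,
    "&X-Amz-SignedHeaders=host",
    "&response-content-disposition=attachment%3Bfilename%3Dattachment.zip",
    "&response-content-type=application%2Fx-zip-compressed",
])


def refang(url: str) -> str:
    """Undo the hxxps:// and [.] defanging so the URL parses normally."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def defang(url: str) -> str:
    """Defang scheme and host only, leaving path and query untouched (as the post does)."""
    parts = urlsplit(url)
    rest = url[len(parts.scheme) + 3 + len(parts.netloc):]
    scheme = "hxxps://" if parts.scheme == "https" else "hxxp://"
    return scheme + parts.netloc.replace(".", "[.]") + rest


def stable_key(url: str) -> str:
    """Host plus path: the part that identifies the file no matter how often it is re-signed."""
    parts = urlsplit(refang(url))
    return f"{parts.netloc}{parts.path}"


def signature_window(url: str) -> Tuple[datetime, datetime]:
    """(signed_at, expires_at) in UTC from X-Amz-Date and X-Amz-Expires (seconds)."""
    q = parse_qs(urlsplit(refang(url)).query)
    signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return signed_at, signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def download_name(url: str) -> Optional[str]:
    """Filename the server will attach via response-content-disposition, if any.
    parse_qs already percent-decodes, so %3B and %3D arrive as ';' and '='."""
    q = parse_qs(urlsplit(refang(url)).query)
    disposition = q.get("response-content-disposition", [""])[0]
    for part in disposition.split(";"):
        part = part.strip()
        if part.startswith("filename="):
            return part[len("filename="):].strip('"')
    return None


if __name__ == "__main__":
    start, end = signature_window(SAMPLE_LINK)
    print("indicator:", stable_key(SAMPLE_LINK))
    print("signed", start.isoformat(), "valid until", end.isoformat())
    print("served as:", download_name(SAMPLE_LINK))
```

Store and match on the value `stable_key` returns; the full signed URL is fine to record as evidence, but it will never match a later copy of the same link because the credential date, timestamp and signature change on every page load.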